METHOD AND APPARATUS FOR FINITE FIELD BASIS CONVERSION

The present invention relates to cryptographic systems and more particularly, to 
the conversion of elements in a finite field having one basis to elements of a finite field 
having another basis and wherein the elements are used in a cryptographic operation. 

BACKGROUND OF THE INVENTION 

Cryptographic operations are generally implemented on elements in a finite field.
Various finite fields are of interest to cryptographers, for example the multiplicative
groups of prime fields F(p), the multiplicative groups of finite fields of characteristic two,
F(2^n), and elliptic curve groups over finite fields, E(F_p) or E(F_{2^n}). The elements in a
given finite field are represented in terms of a basis for the finite field. The basis elements
are themselves elements of the finite field.

Certain efficiencies may be realized in cryptographic operations by choosing a
particular basis for that finite field. For example, in the finite field F(2^n) two
common choices of basis are the polynomial basis and the normal basis. A problem arises
from the choice of basis, however: two parties using the same cryptographic scheme but
different basis elements must perform a basis conversion operation on the field elements
in order to obtain the same cryptographic result.

In general, let F(q^n) be a finite field, where q is a prime or a prime power, the
degree of the field is n and its order is q^n. A basis for the finite field is a set of n elements
b_0, b_1, ..., b_{n-1} ∈ F(q^n) such that every element A of the finite field can be represented
uniquely as a linear combination of basis elements:

A = a_0 b_0 + a_1 b_1 + ... + a_{n-1} b_{n-1},

where the a_i ∈ F(q) are the coefficients. Arithmetic operations are then performed on this
ordered set of coefficients (a_0, a_1, ..., a_{n-1}).
It may be seen then generally that by using a different basis, a different ordered set
of coefficients represents the same element.

Various techniques have been implemented to convert between two choices of
basis for a finite field. A conventional approach involves a matrix multiplication,
wherein basis conversion is performed using a change of basis matrix of dimension m,
i.e. a matrix of m^2 entries. If m is typically 160 bits, then this matrix occupies significant
storage in devices such as a smart card. General finite field techniques are described in the
"Handbook of Applied Cryptography", CRC Press, 1996, by S.A. Vanstone et al., and
incorporated herein by reference. Other techniques for basis conversion are described in
United States Patent No. 5,854,759 to Kaliski et al., also incorporated herein by reference.

SUMMARY OF THE INVENTION 

The present invention seeks to provide a method and apparatus for basis 
conversion, that is generally efficient in terms of memory and computation time and is 
particularly adapted for use with smart cards and other low power cryptographic tokens. 

In accordance with this invention, there is provided a method for basis conversion, 
the method comprising the steps of a first correspondent transmitting an element 
represented in a first basis to an intermediate processor; the intermediate processor 
converting the element into a second basis representation; forwarding said converted 
element to the first correspondent; and the first correspondent operating on the converted 
element in a cryptographic operation. 

BRIEF DESCRIPTION OF THE DRAWINGS 

These and other features of the preferred embodiments of the invention will 
become more apparent in the following detailed description in which reference is made to 
the appended drawings wherein: 

Figure 1 is a schematic diagram of an embodiment of a basis conversion system in 
accordance with the present invention; 

Figure 2 is a schematic diagram of a further embodiment of a basis conversion
system in accordance with the present invention; and

Figure 3 is a flow diagram illustrating a key exchange scheme in accordance with 
an embodiment of the invention. 
DESCRIPTION OF THE PREFERRED EMBODIMENTS

In a first embodiment, shown in Figure 1, a pair of correspondents are represented
by A and B, and an intermediate processor, such as a server, certifying authority or other
helper processor, is represented by H. It is assumed the correspondents A and B include
processors for performing cryptographic operations and the like that may be implemented
in hardware or in software operated on a general purpose computer. In this case the
software may be encoded on a data carrier such as a CD ROM or computer disk for
loading on to the computer. Specifically, A and B perform cryptographic operations in a
basis β1 and β2, respectively. It is further assumed that the respective cryptographic
parameters are contained within the entities A and B. For example, in an elliptic curve
scheme the system parameters include at least a point P on the elliptic curve, the order of
the curve and the parameters of the elliptic curve equation E.

In this embodiment, each of the entities A and B generates a respective random
value k_i, generally the private session key, and each computes a public value k_iP,
represented in terms of their respective bases β1 and β2. One of the entities, A for
example, transmits its public key kP_{β1} to the server H. The server performs a basis
conversion, utilizing one of many basis conversion algorithms, to convert the public key
kP_{β1} represented in basis β1 to a public key kP_{β2} represented in terms of the basis β2. The
converted key is transmitted back to the correspondent A. The correspondent A then
computes the signature s = k^{-1}(h(m) + dr), where r is derived from kP_{β2} (for example
from its x-coordinate, as described below). The signature components s and r are then
transmitted to the other correspondent B, which processes them in the basis β2.
Similarly, if correspondent B wishes to communicate with A, it also transmits its public key
kP_{β2} to the server, which performs the conversion on the key and sends it back to the
correspondent B. The correspondent B then computes a signature using r derived from kP_{β1}.

In this embodiment, a helper or intermediate processor is utilized to perform the
basis conversion, thereby allowing relatively low power computing devices A and B, such
as smart cards, to correspond. Furthermore the cryptographic scheme is not
compromised by revealing the value being converted, since the public key may be
transmitted in the clear, without requiring a confidential communication path between the
correspondent and the server. (The correspondent does still rely on H returning a correctly
converted value, since that value enters its signature; what the scheme does not require is
secrecy of the channel.)

Referring to Figure 2, in a second embodiment each of the correspondents A and B
has a respective public key, aP represented in terms of basis β1 and bP represented in
terms of basis β2. The first correspondent A transmits its public key aP_{β1} to the server H,
which performs the basis conversion on the element to a representation in basis β2 and
transmits this key aP_{β2} to the second correspondent B. The second correspondent B
also transmits its public key bP_{β2} to the server, where a basis conversion is performed on
the key to the basis β1 of the first correspondent. The key bP_{β1} is forwarded to the first
correspondent A. Each of the correspondents then computes a common key by combining
its private key with the other correspondent's received public key. Thus, A computes
abP_{β1} and B computes baP_{β2}.

The correspondents have now performed a key exchange, each holding the same shared
key, although represented in a different basis, and neither correspondent has had to
perform a basis conversion itself. The common keys may then be used in a conventional
manner in subsequent steps of the encryption scheme.

In a third embodiment, again it is assumed that the correspondents A and B operate
in bases β1 and β2 respectively. The bases β1 and β2 may be any bases.
Furthermore, we define a field element α such that correspondent A represents the element
α in terms of the basis β1 and correspondent B represents the field element α in terms of
basis β2. The correspondents make use of a bit string that is a function of a sequence of
traces of the field element as a shared secret to perform certain cryptographic
operations.

In this embodiment let p be a prime and let q = p^m, where m ≥ 1. Let F_q be the
finite field having q elements and F_{q^n} its n-dimensional extension. The cyclic group G
of F_{q^n} over F_q (the Galois group) is generated by the mapping σ(a) = a^q, a ∈ F_{q^n}, and
is of order n. We may then define the trace function of F_{q^n} over F_q as

Tr(a) = a + σ(a) + σ^2(a) + ... + σ^{n-1}(a) = a + a^q + a^{q^2} + ... + a^{q^{n-1}},

which takes its values in the ground field F_q. For brevity, the trace function is simply
represented as Tr. The traces Tr(α_{β1}) and Tr(α_{β2}) have the property that the trace of an
element α represented in terms of a basis β1 is the same as the trace of the element α
represented in terms of basis β2.

If a key of length n = 128 bits is to be constructed, then the traces of odd powers of
α are taken. The traces, namely Tr(α), Tr(α^3), ..., Tr(α^{255}), are each either 0 or 1. The
even powers are omitted because Tr(α^2) = Tr(α) in characteristic two, so they would only
repeat bits already taken. Since the trace is independent of the representation, it does not
matter which one of the entities performs the trace. As an aside it may be noted that we
could also use Tr(f_1(α)), ..., Tr(f_k(α)) for functions f_i: the trace maps F(2^n) to the
elements {0, 1} = F(2), so each Tr(f_i(·)) maps F(2^n) to F(2). In general, any function that
is invariant under a change of basis may be utilized in place of the trace.

In general if F(q") is the finite field and F(q) is the ground field over which it is 
defined, the elements of the finite field can be represented in a number of ways depending 
on the choice of basis. Two common types of basis are polynomial basis and normal 
basis. If p 1 is a polynomial basis, then the basis elements may be represented as 1 , p, 
p^,, . . p""^ , where p is a root or generator. Assuming the fimction f(x) = 0 and f(x) is an 
irreducible of degree n i.e irreducible over the ground field, then, if a field element is 
given by a = ao + aiP^ . . . + an.lp'^'^ the trace is given by 

Tr(a) = ao + aiTr(P) + a2Tr(p^ ) . . . + an-i Tr(p"-^). 

It may be observed that the trace is hnear and if the irreducible f(x) has the form 

x" + g(x) where the degree of g(x) is k, then 
Tr(p0 = 0forj-l,2...n-k-l. 
If the irreducible polynomial is given by 

x" + an.ix^"^ + a„.2x'^'^... + ai 
and if = 0 then Tr(p) - 0, and an-i = 0 and an-2 = 0 then Tr(P^) = 0. The observation is 
that if consecutive coefficients of the field element a are zero then the trace of that number 
of terms is zero. 

Thus, the trace bit string may be used as a shared secret to perform the remaining
cryptographic operations. In deciding upon a key, the users (correspondents) normally
select a bit string that is a function of a sequence of traces of a selected field element. For
example, if a bit string (key) of length 3 is desired, the traces of α, α^3 and α^5 could be used.
The order of the sequence of traces may on occasion be arbitrarily chosen, but must be
known to both correspondents. The following examples more clearly illustrate the
derivation of a key.

Example 1: In this example the traces of α and α^3 are used to create a binary key of
length 2.

Basis 1: The irreducible chosen is f(x) = x^3 + x + 1 = 0, so x^3 = x + 1 and x^4 = x^2 + x.
Element α in this basis is α = 1 + x^2; then the key = (Tr(α), Tr(α^3)).
Tr(1) = 1 + 1^2 + 1^4 = 1
Tr(x) = x + x^2 + x^4
      = x + x^2 + x^2 + x = 0
Tr(x^2) = x^2 + x^4 + x^8
        = x^2 + (x^2 + x) + (x^2 + x)^2
        = x^2 + (x^2 + x) + x = 0
Tr(α) = Tr(1 + x^2) = Tr(1) + Tr(x^2) = 1 + 0 = 1
α^3 = α·α^2 = (1 + x^2)(1 + x^2)^2 = (1 + x^2)(1 + x^4)
    = (1 + x^2)(1 + x + x^2)
    = 1 + x + x^2 + x^2 + x^3 + x^4
    = 1 + x + x^3 + x^4
    = 1 + x + (x + 1) + (x^2 + x)
    = x^2 + x
Tr(α^3) = Tr(x^2) + Tr(x) = 0 + 0 = 0
Thus the key = (1, 0).

Example 2: In this example a different basis is used (basis 2) and α is converted to
its representation in this basis by (1) finding a root r, in the representation generated by
basis 2, of the irreducible polynomial that defines basis 1, and (2) evaluating at r the
polynomial representing α in basis 1. The traces of α and α^3 are then calculated in basis 2
and generate the same binary key as was created in basis 1 above.

Basis 2: The irreducible chosen is g(y) = y^3 + y^2 + 1, so y^3 = y^2 + 1.

To find α in basis 2, find a root of f(x) = x^3 + x + 1 (the irreducible of basis 1) in
basis 2.

Note: (y + 1)^3 + (y + 1) + 1 = y^3 + y^2 + y + 1 + y + 1 + 1 = (y^2 + 1) + y^2 + 1 = 0.
Let r = y + 1; then α = 1 + x^2 becomes α' = 1 + r^2 = 1 + (y + 1)^2 = 1 + y^2 + 1 = y^2.

Key = (Tr(α'), Tr(α'^3)); note that y^4 = y·y^3 = y^3 + y = y^2 + y + 1.
Tr(1) = 1 + 1 + 1 = 1
Tr(y) = y + y^2 + y^4 = y + y^2 + y^2 + y + 1 = 1
Tr(y^2) = y^2 + y^4 + y^8 = y^2 + (y^2 + y + 1) + (y^2 + y + 1)^2
        = y^2 + (y^2 + y + 1) + (y^4 + y^2 + 1)
        = y^2 + (y^2 + y + 1) + y
        = 1
Tr(α') = Tr(y^2) = 1
α'^3 = y^6 = (y^3)^2 = (y^2 + 1)^2 = y^4 + 1 = y^2 + y + 1 + 1 = y^2 + y
Tr(α'^3) = Tr(y^2 + y) = Tr(y^2) + Tr(y) = 1 + 1 = 0
Thus the key = (1, 0), as in basis 1.

Referring to Figure 3, a key agreement scheme shows the correspondents A and B
operating in bases β1 and β2 respectively. The bases β1 and β2 may be any bases.
Furthermore A and B each have the following system parameters: a long term private key,
d_A and d_B respectively, and a long term public key, Q_A = d_A P and Q_B = d_B P, where P is
a point on an elliptic curve represented in terms of the respective bases. The correspondent
A represents P in terms of the basis β1 and correspondent B represents P in terms of basis
β2. In a typical Diffie-Hellman key agreement scheme, each of the correspondents A and B
generates a respective ephemeral private key k_A and k_B and computes a corresponding
short term (session) public key k_A P_{β1} and k_B P_{β2}. A and B exchange their respective
public keys, and convert them to their own basis. If the correspondents are low power
devices, such as smart cards or the like, then the basis conversion may be performed by an
intermediate processor such as described with reference to Figures 1 and 2. Alternatively,
if the correspondents have sufficient computing power, then the basis conversion may be
performed by the correspondents themselves, according to one of many basis conversion
methods. In any event, after the basis conversion, correspondent A has B's public key
(k_B P_{β2})_{β1} and B has A's public key (k_A P_{β1})_{β2}. A shared secret is computed in their
respective bases by computing k_A (k_B P_{β2})_{β1} = α_{β1} and k_B (k_A P_{β1})_{β2} = α_{β2}. Each of
the correspondents takes a sequence of traces of its respective field element α (for example
the x-coordinate of the shared point) to derive a common bit string.
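The following is an added example written for this page; it is not code from the patent or its assignee. It implements, for small fields of characteristic two, the pieces described above: GF(2^n) arithmetic in a polynomial basis, the n × n change of basis matrix of the background section, conversion by evaluating an element's polynomial at a root r as in Examples 1 and 2, the trace and the odd-power trace key, the rule Tr(ρ^j) = 0 for j ≤ n-k-1, and the Figure 3 key agreement with a helper H holding the conversion matrices. Assumptions of the example, not of the patent: the key agreement runs in the multiplicative group of GF(2^n) instead of an elliptic curve group, the generator is P = x, the private keys and the two degree 8 irreducibles (x^8 + x^4 + x^3 + x + 1 and x^8 + x^4 + x^3 + x^2 + 1) are arbitrary choices, and find_root takes the smallest root, which for Example 2 is r = y + 1 (a conjugate root would give a different but equally valid isomorphism and the same trace key).

```python
# Added example (not from the patent). An element of GF(2^n) in a polynomial basis is an
# int whose bit i is the coefficient of rho^i; an irreducible f is an int with bit n set.

def gf_mul(a: int, b: int, f: int, n: int) -> int:
    """Multiply in GF(2)[x]/(f), deg f = n (shift-and-add, reduce whenever bit n appears)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n & 1:
            a ^= f
    return r

def gf_pow(a: int, e: int, f: int, n: int) -> int:
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, f, n)
        a, e = gf_mul(a, a, f, n), e >> 1
    return r

def trace(a: int, f: int, n: int) -> int:
    """Tr(a) = a + a^2 + a^4 + ... + a^(2^(n-1)); the sum lands in the ground field {0, 1}."""
    t, s = 0, a
    for _ in range(n):
        t, s = t ^ s, gf_mul(s, s, f, n)
    assert t in (0, 1)
    return t

def eval_poly(poly: int, r: int, f: int, n: int) -> int:
    """Evaluate a GF(2)-coefficient polynomial (bits of poly) at r in GF(2)[x]/(f), Horner style."""
    acc = 0
    for i in range(poly.bit_length() - 1, -1, -1):
        acc = gf_mul(acc, r, f, n) ^ (poly >> i & 1)
    return acc

def find_root(f1: int, f2: int, n: int) -> int:
    """Smallest root of f1 inside GF(2)[x]/(f2): exhaustive search, so only for small n."""
    for r in range(1, 1 << n):
        if eval_poly(f1, r, f2, n) == 0:
            return r
    raise ValueError("no root: f1 and f2 must both be irreducible of degree n")

def change_of_basis_matrix(f1: int, f2: int, n: int) -> list[int]:
    """Column i = r^i in basis 2 for a root r of f1 there: n columns of n bits = n^2 bits."""
    r = find_root(f1, f2, n)
    return [gf_pow(r, i, f2, n) for i in range(n)]

def convert(a: int, m: list[int]) -> int:
    """Matrix-vector product over GF(2): XOR together the columns selected by the bits of a."""
    out = 0
    for i, col in enumerate(m):
        if a >> i & 1:
            out ^= col
    return out

def invert_matrix(m: list[int], n: int) -> list[int]:
    """Inverse conversion: column i is the element that m sends to unit vector e_i (search, n small)."""
    return [next(a for a in range(1 << n) if convert(a, m) == 1 << i) for i in range(n)]

def trace_key(a: int, f: int, n: int, bits: int) -> list[int]:
    """Key bits Tr(a), Tr(a^3), ..., Tr(a^(2*bits-1)); even powers skipped since Tr(a^2) = Tr(a)."""
    return [trace(gf_pow(a, 2 * i + 1, f, n), f, n) for i in range(bits)]

def traces_of_low_powers(f: int, n: int) -> list[int]:
    """Tr(rho^j) for j = 1..n-k-1 where f = x^n + g(x) and deg g = k; all zero by the rule above."""
    k = (f ^ (1 << n)).bit_length() - 1
    return [trace(1 << j, f, n) for j in range(1, n - k)]

# The patent's 3-bit examples: basis 1 is x^3 + x + 1, basis 2 is y^3 + y^2 + 1, alpha = 1 + x^2.
F1, G2, N = 0b1011, 0b1101, 3

def worked_example() -> tuple:
    m = change_of_basis_matrix(F1, G2, N)      # r = m[1] = y + 1, as in Example 2
    alpha_b1 = 0b101
    alpha_b2 = convert(alpha_b1, m)            # 1 + r^2 = y^2
    return m[1], alpha_b2, trace_key(alpha_b1, F1, N, 2), trace_key(alpha_b2, G2, N, 2)

def key_agreement(k_a: int, k_b: int, f1: int, f2: int, n: int, bits: int) -> tuple:
    """Figure 3 flow in the multiplicative group of GF(2^n): A works in basis 1, B in basis 2,
    and helper H (which holds both matrices) converts the exchanged public values in the clear.
    Generator P = x and the private keys k_a, k_b are assumptions of this example."""
    m12 = change_of_basis_matrix(f1, f2, n)
    m21 = invert_matrix(m12, n)
    p1 = 0b10
    p2 = convert(p1, m12)                                        # same generator, B's basis
    a_pub1, b_pub2 = gf_pow(p1, k_a, f1, n), gf_pow(p2, k_b, f2, n)
    a_pub2, b_pub1 = convert(a_pub1, m12), convert(b_pub2, m21)  # H converts both
    alpha1 = gf_pow(b_pub1, k_a, f1, n)                          # A's shared element, basis 1
    alpha2 = gf_pow(a_pub2, k_b, f2, n)                          # B's shared element, basis 2
    return trace_key(alpha1, f1, n, bits), trace_key(alpha2, f2, n, bits)

if __name__ == "__main__":
    print(worked_example())                                      # (3, 4, [1, 0], [1, 0])
    print(traces_of_low_powers(0x11B, 8))                        # [0, 0, 0]
    key_a, key_b = key_agreement(0x6B, 0xC5, 0x11B, 0x11D, 8, 128)
    print(key_a == key_b, len(key_a))                            # True 128
```

Run as a script it prints the Example 1 and 2 key (1, 0) obtained in both bases, the three zero traces Tr(x), Tr(x^2), Tr(x^3) for x^8 + x^4 + x^3 + x + 1 (k = 4, so n-k-1 = 3), and the agreement of A's and B's 128-bit trace keys. The exhaustive root search and matrix inversion are only sensible for small n; a real token would either receive the n^2-bit matrix from H or, as the text suggests, leave the conversion to H entirely and compute only the traces.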

Applying the method to a signature scheme, the correspondent A generates its
ephemeral public session key kP_{β1}. A trace sequence may be constructed, for example, of
the x-coordinate of kP_{β1}, producing a bit string T. The bit string is passed through a hash
function g to derive a signature component r. A second signature component
s = k^{-1}(m + dr) is computed, where d is A's long term private key. The signature
components (r, s) are transmitted to B for verification. The verifier B computes
m s^{-1} P_{β2} + r s^{-1} Q_{A,β2} = kP_{β2}, where Q_{A,β2} is the long term public key of A in
basis β2; this basis conversion of Q_A could be performed by A using an intermediate
processor H as described earlier. B then generates the trace sequence of the x-coordinate of
the computed value kP_{β2} and applies the hash function g to derive a value r'. If r' = r, then
the signature is verified. The verification succeeds because s^{-1}(m + rd)P = kP, and the
trace sequence of the x-coordinate is the same whichever basis it is computed in.

Although the invention has been described with reference to certain specific 
embodiments, various modifications thereof will be apparent to those skilled in the art 
without departing from the spirit and scope of the invention as outlined in the claims
appended hereto. 